rnixik / docker-openssl-gost

Dockerfile with OpenSSL, GOST-engine and cURL
MIT License

curl: (35) error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set #8

Closed madmaxio closed 4 years ago

madmaxio commented 5 years ago

Hello, calling curl from a container,

curl -d "param1=value1&param2=value2" -X POST host_here

Getting this error:

curl: (35) error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set

Also, it worked a couple of days ago.

rnixik commented 5 years ago

Hi!

Could you make sure that host_here has not been changed recently? Could you check your curl with another host with GOST?

madmaxio commented 5 years ago

Some changes on the server side you mean? I don't know other gost hosts, do you have any examples?

madmaxio commented 5 years ago

Well, I think these are 100% server side changes, but I have no idea what exactly happened, also it is zakupki gov ru.

madmaxio commented 5 years ago

Also, openssl s_client -connect gost.example.com:443 -showcerts works and shows certs for my host! So this can be an issue with curl build maybe.

rnixik commented 5 years ago

> Also, openssl s_client -connect gost.example.com:443 -showcerts works and shows certs for my host! So this can be an issue with curl build maybe.

And what is the output? Does it contain something about the param set?

madmaxio commented 5 years ago

Here is the stderr, yes some info here:

depth=0 INN = 007710568760, OGRN = 1047797019830, street = "\D0\91\D0\BE\D0\BB\D1\8C\D1\88\D0\BE\D0\B9 \D0\97\D0\BB\D0\B0\D1\82\D0\BE\D1\83\D1\81\D1\82\D0\B8\D0\BD\D1\81\D0\BA\D0\B8\D0\B9 \D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA, \D0\B4.6, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", emailAddress = isfk@roskazna.ru, C = RU, ST = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, O = \D0\A4\D0\B5\D0\B4\D0\B5\D1\80\D0\B0\D0\BB\D1\8C\D0\BD\D0\BE\D0\B5 \D0\BA\D0\B0\D0\B7\D0\BD\D0\B0\D1\87\D0\B5\D0\B9\D1\81\D1\82\D0\B2\D0\BE, OU = \D0\A3\D0\BF\D1\80\D0\B0\D0\B2\D0\BB\D0\B5\D0\BD\D0\B8\D0\B5 \D0\B8\D0\BD\D1\84\D0\BE\D1\80\D0\BC\D0\B0\D1\86\D0\B8\D0\BE\D0\BD\D0\BD\D0\BE\D0\B9 \D0\B8\D0\BD\D1\84\D1\80\D0\B0\D1\81\D1\82\D1\80\D1\83\D0\BA\D1\82\D1\83\D1\80\D0\BE\D0\B9, title = \D0\97\D0\B0\D0\BC\D0\B5\D1\81\D1\82\D0\B8\D1\82\D0\B5\D0\BB\D1\8C \D0\BD\D0\B0\D1\87\D0\B0\D0\BB\D1\8C\D0\BD\D0\B8\D0\BA\D0\B0 \D0\A3\D0\BF\D1\80\D0\B0\D0\B2\D0\BB\D0\B5\D0\BD\D0\B8\D1\8F, CN = zakupki.gov.ru
verify error:num=66:EE certificate key too weak
verify return:1
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
140022237410432:error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set:/usr/local/src/engine-3bd506dcbb835c644bd15a58f0073ae41f76cb06/gost_ec_sign.c:82:
140022237410432:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:124:
140022237410432:error:1416F0EF:SSL routines:tls_process_server_certificate:unable to find public key parameters:ssl/statem/statem_clnt.c:1254:

rnixik commented 5 years ago

I found an update in the GOST lib: https://github.com/gost-engine/engine/commit/b2e0f8c6e708e70fcfea9384095aa48f2774af47 Need time to rebuild.

madmaxio commented 5 years ago

Awesome! So you will push update to docker hub?

rnixik commented 5 years ago

I've pushed dev label rnix/openssl-gost:dev and it works with some GOST hosts:

docker run --rm rnix/openssl-gost:dev curl https://alpha.demo.nbki.ru -k

But for your host:

docker run --rm rnix/openssl-gost:dev curl https://zakupki.gov.ru -k

it is

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to zakupki.gov.ru:443

Do you use a client certificate? It seems to me that it can be the reason for the error.

madmaxio commented 5 years ago

No, I don't. Same problem for me

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to zakupki.gov.ru:443

madmaxio commented 5 years ago

As far as I understood from googling, this is a random server-side problem, so this is not fixable without accessing the server itself?

gosha20777 commented 4 years ago

I have the same error when I am trying to connect to portal.rosreestr.ru:4455

curl https://portal.rosreestr.ru:4455 -k -v --key key.pem --cert cert.pem
* Rebuilt URL to: https://portal.rosreestr.ru:4455/
*   Trying 217.77.104.130...
* TCP_NODELAY set
* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set
* Closing connection 0
curl: (35) error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set

but for zakupki.gov.ru:443 it works fine

curl https://zakupki.gov.ru -k
<html>
<head>
    <script language="Javascript" type="text/javascript">
        location.replace("http://zakupki.gov.ru/");
    </script>
</head>
<body>
</body>
</html>

gosha20777 commented 4 years ago

I have tried to do this command

$ openssl s_client -connect portal.rosreestr.ru:4455
CONNECTED(00000003)
depth=0 OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
verify error:num=66:EE certificate key too weak
verify return:1
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
139955203937408:error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set:/usr/local/src/engine-3bd506dcbb835c644bd15a58f0073ae41f76cb06/gost_ec_sign.c:82:
139955203937408:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:124:
139955203937408:error:1416F0EF:SSL routines:tls_process_server_certificate:unable to find public key parameters:ssl/statem/statem_clnt.c:1254:
---
Certificate chain
 0 s:/OGRN=1047796940465/INN=007706560536/street=\xD1\x83\xD0\xBB. \xD0\x92\xD0\xBE\xD1\x80\xD0\xBE\xD0\xBD\xD1\x86\xD0\xBE\xD0\xB2\xD0\xBE \xD0\x9F\xD0\xBE\xD0\xBB\xD0\xB5, \xD0\xB4. 4\xD0\x90/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/emailAddress=00_OZIL1@rosreestr.ru/O=\xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80/CN=\xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80
   i:/OGRN=1027700485757/INN=007705401340/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA \xD0\x9E\xD1\x80\xD0\xBB\xD0\xB8\xD0\xBA\xD0\xBE\xD0\xB2, \xD0\xB4\xD0\xBE\xD0\xBC 10, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/OU=\xD0\xA3\xD0\xB4\xD0\xBE\xD1\x81\xD1\x82\xD0\xBE\xD0\xB2\xD0\xB5\xD1\x80\xD1\x8F\xD1\x8E\xD1\x89\xD0\xB8\xD0\xB9 \xD1\x86\xD0\xB5\xD0\xBD\xD1\x82\xD1\x80/O=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"/CN=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"
 1 s:/OGRN=1027700485757/INN=007705401340/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA \xD0\x9E\xD1\x80\xD0\xBB\xD0\xB8\xD0\xBA\xD0\xBE\xD0\xB2, \xD0\xB4\xD0\xBE\xD0\xBC 10, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/OU=\xD0\xA3\xD0\xB4\xD0\xBE\xD1\x81\xD1\x82\xD0\xBE\xD0\xB2\xD0\xB5\xD1\x80\xD1\x8F\xD1\x8E\xD1\x89\xD0\xB8\xD0\xB9 \xD1\x86\xD0\xB5\xD0\xBD\xD1\x82\xD1\x80/O=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"/CN=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"
   i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
 2 s:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
   i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5499 bytes and written 186 bytes
Verification error: self signed certificate in certificate chain
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1574163359
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

and

$ openssl s_client -connect zakupki.gov.ru:443
CONNECTED(00000003)
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4.6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1./emailAddress=isfk@roskazna.ru/C=RU/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/OU=\xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 \xD1\x80\xD0\xB0\xD0\xB7\xD0\xB2\xD0\xB8\xD1\x82\xD0\xB8\xD1\x8F \xD0\xBA\xD0\xBE\xD0\xBD\xD1\x82\xD1\x80\xD0\xB0\xD0\xBA\xD1\x82\xD0\xBD\xD0\xBE\xD0\xB9 \xD1\x81\xD0\xB8\xD1\x81\xD1\x82\xD0\xB5\xD0\xBC\xD1\x8B/title=\xD0\x97\xD0\xB0\xD0\xBC\xD0\xB5\xD1\x81\xD1\x82\xD0\xB8\xD1\x82\xD0\xB5\xD0\xBB\xD1\x8C \xD0\xBD\xD0\xB0\xD1\x87\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xB8\xD0\xBA\xD0\xB0 \xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD1\x8F/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
   i:/emailAddress=uc_fk@roskazna.ru/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4. 6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
 1 s:/emailAddress=uc_fk@roskazna.ru/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4. 6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
   i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
 2 s:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
   i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
---
Server certificate
subject=/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4.6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1./emailAddress=isfk@roskazna.ru/C=RU/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/OU=\xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 \xD1\x80\xD0\xB0\xD0\xB7\xD0\xB2\xD0\xB8\xD1\x82\xD0\xB8\xD1\x8F \xD0\xBA\xD0\xBE\xD0\xBD\xD1\x82\xD1\x80\xD0\xB0\xD0\xBA\xD1\x82\xD0\xBD\xD0\xBE\xD0\xB9 \xD1\x81\xD0\xB8\xD1\x81\xD1\x82\xD0\xB5\xD0\xBC\xD1\x8B/title=\xD0\x97\xD0\xB0\xD0\xBC\xD0\xB5\xD1\x81\xD1\x82\xD0\xB8\xD1\x82\xD0\xB5\xD0\xBB\xD1\x8C \xD0\xBD\xD0\xB0\xD1\x87\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xB8\xD0\xBA\xD0\xB0 \xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD1\x8F/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
issuer=/emailAddress=uc_fk@roskazna.ru/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4. 6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
---
No client certificate CA names sent
---
SSL handshake has read 5814 bytes and written 401 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : GOST2012-GOST8912-GOST8912
    Session-ID: 4CC927C65EA6A18EFCD75FC547FF3C4D5AF9424515CFE8155D8421E19E6D3BA1
    Session-ID-ctx:
    Master-Key: 261610951BBEC4E2DE08A6EAAF3F7506491419F09702C7A85C2306865EAAEA1B18548CDF0D6CD8B17D323F6BD3C501D7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    Start Time: 1574163455
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---

Maybe that's why portal.rosreestr.ru:4455 uses TLSv1.2

gosha20777 commented 4 years ago

If I use the :dev tag I have the same output

$ curl https://portal.rosreestr.ru:4455 -k -v --key key.pem --cert cert.pem
*   Trying 217.77.104.130...
* TCP_NODELAY set
* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, decode error (562):
* error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error
* Closing connection 0
curl: (35) error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error

AND

$  openssl s_client -connect portal.rosreestr.ru:4455
CONNECTED(00000003)
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify return:1
depth=1 OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
verify return:1
depth=0 OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
verify return:1
139634882264704:error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error:ssl/record/rec_layer_s3.c:1588:SSL alert number 50
---
Certificate chain
 0 s:OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
   i:OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
 1 s:OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
   i:emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
 2 s:emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
   i:emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
---
Server certificate
subject=OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80

issuer=OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"

---
Acceptable client certificate CA names
OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
Client Certificate Types: GOST01 Sign, UNKNOWN (238),, UNKNOWN (239),
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:gost2001+md_gost94:gost2012_256+md_gost12_256:gost2012_512+md_gost12_512
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:gost2001+md_gost94:gost2012_256+md_gost12_256:gost2012_512+md_gost12_512
---
SSL handshake has read 6209 bytes and written 550 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : GOST2012-GOST8912-GOST8912
    Session-ID:
    Session-ID-ctx:
    Master-Key: D1E7A5E3D0D6AF33850343FB062942C1C896671782464F282597161E8963409B443336608B502018DB01DFC535595158
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1574164010
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---

gosha20777 commented 4 years ago

I've rewritten gost-engine and rebuilt it for TLS v1.2 support. You can see it in the gosha20777/openssl-gost:dev image. All working fine.

rnixik commented 4 years ago

@gosha20777 I ran this command on your image: docker run --rm gosha20777/openssl-gost:dev curl https://portal.rosreestr.ru:4455 -k -v and got the same error

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 217.77.104.130:4455...
* TCP_NODELAY set
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [64 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2160 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [682 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [171 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS alert, decode error (562):
{ [2 bytes data]
* error:1400041A:SSL routines::tlsv1 alert decode error
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:1400041A:SSL routines::tlsv1 alert decode error

What do you mean by "all working fine"?

gosha20777 commented 4 years ago

@rnixik it is a very strange site. Sometimes it works, but sometimes not. I updated nginx and openssl to the latest version. This site has some problems. But when it works, it works only on my version of openssl-gost. I don't know why.

gosha20777 commented 4 years ago

It was yesterday at 9pm:

root@dbbc7f1a4ad9:/c/workspace# curl https://portal.rosreestr.ru:4455 -k -v --key key.pem --cert cert.pem
*   Trying 217.77.104.130:4455...
* TCP_NODELAY set
* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / GOST2012-GOST8912-GOST8912
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OGRN=1047796940465; INN=007706560536; street=\U0443\U043B. \U0412\U043E\U0440\U043E\U043D\U0446\U043E\U0432\U043E \U041F\U043E\U043B\U0435, \U0434. 4\U0410; L=\U041C\U043E\U0441\U043A\U0432\U0430; ST=77 \U041C\U043E\U0441\U043A\U0432\U0430; C=RU; emailAddress=00_OZIL1@rosreestr.ru; O=\U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440; CN=\U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440
*  start date: Feb  1 12:28:23 2019 GMT
*  expire date: May  1 12:28:23 2020 GMT
*  issuer: OGRN=1027700485757; INN=007705401340; C=RU; ST=77 \U041C\U043E\U0441\U043A\U0432\U0430; L=\U041C\U043E\U0441\U043A\U0432\U0430; street=\U043F\U0435\U0440\U0435\U0443\U043B\U043E\U043A \U041E\U0440\U043B\U0438\U043A\U043E\U0432, \U0434\U043E\U043C 10, \U0441\U0442\U0440\U043E\U0435\U043D\U0438\U0435 1; OU=\U0423\U0434\U043E\U0441\U0442\U043E\U0432\U0435\U0440\U044F\U044E\U0449\U0438\U0439 \U0446\U0435\U043D\U0442\U0440; O=\U0424\U0413\U0411\U0423 "\U0424\U041A\U041F \U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440\U0430"; CN=\U0424\U0413\U0411\U0423 "\U0424\U041A\U041F \U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440\U0430"
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: portal.rosreestr.ru:4455
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Tue, 19 Nov 2019 13:27:52 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Fri, 08 Feb 2019 18:42:37 GMT
< Connection: keep-alive
< ETag: "5c5dcd9d-264"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host portal.rosreestr.ru left intact

rnixik commented 4 years ago

Anyway, I've updated the versions of the libs and pushed a new image. The error 'unsupported parameter set' is gone. Now we have

curl: (35) error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error

for https://portal.rosreestr.ru:4455 and currently I don't know how to solve it. Is it working with any other applications?

gosha20777 commented 4 years ago

@rnixik yes, it works with other sites. But with this site it works SOMETIMES. I don't know why... I think that the problem is in this site...

gosha20777 commented 4 years ago

Can you also update nginx to 1.17+ and openssl to 1.1.1d?

gosha20777 commented 4 years ago

Look here: https://github.com/gosha20777/openssl-gost/blob/master/nginx-gost/Dockerfile

I am not sure that I have done everything correctly... But it works in some apps.

I think that maybe I need to copy gost.so and costdum gostum.1.1 etc. to some dir..

ghost commented 4 years ago

Hi everyone! I have the same problem. I found something:

  1. Host portal.rosreestr.ru:4455 has the certificate rosreestr.pem. In openssl with the gost engine this certificate throws the same error when openssl tries to decode the public key of the certificate. Command:

    > openssl x509 -noout -text -in rosreestr.pem
    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:01:b0:7a:c4:0c:d1:86:e9:11:1e:26:95:31:6f:42
        Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
        Issuer: OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
        Validity
            Not Before: Feb  1 12:28:23 2019 GMT
            Not After : May  1 12:28:23 2020 GMT
        Subject: OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
            Unable to load Public Key
    140336769119296:error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set:/usr/local/src/gost/gost-engine/engine/gost_ec_sign.c:82:
    140336769119296:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:125:
        ...
  2. However, CryptoPro CSP parses the public key from portal.rosreestr.ru:4455 successfully (for example, in IE).

  3. I know another GOST host with the same connection parameters, services.technokad.ru:443, but it connects with no errors.

  4. With the web tool http://gostcrypto.com/demo-cp-keys.html I parsed the certificates (rosreestr.pem and technokad.pem) from both hosts and saw different elliptic curve settings.

technokad.pem

...
subjectPublicKeyInfo: {
        algorithm: {
            name: "GOST R 34.10-256",
            id: "id-tc26-gost3410-12-256",
            namedCurve: "X-256-A"
        },
...

rosreestr.pem

...
subjectPublicKeyInfo: {
        algorithm: {
            name: "GOST R 34.10-256",
            id: "id-tc26-gost3410-12-256",
            namedCurve: "T-256-A"
        },
...

Differences

It seems that openssl simply does not support the curve with code T-256-A. What is this curve? Have you had success with your problem? Thanks.

rosreestr.pem from portal.rosreestr.ru:4455


technokad.pem from services.technokad.ru:443

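The parameter-set comparison described in the comment above can be done without the GOST engine by reading the OID directly from the certificate's DER, as in this added example (not code from the thread or from gost-engine). The sample input is a constructed, unsigned certificate skeleton, and treating the web tool's labels "T-256-A" and "X-256-A" as the TC26 paramSetA and CryptoPro XchA OIDs is an assumption.

```python
# Parameter-set OID names per RFC 7836 / RFC 4357; other OIDs are returned as dotted strings.
PARAM_SETS = {
    "1.2.643.7.1.2.1.1.1": "id-tc26-gost-3410-2012-256-paramSetA",
    "1.2.643.2.2.36.0": "id-GostR3410-2001-CryptoPro-XchA-ParamSet",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def key_parameter_set(cert_der):
    """Return (public key algorithm OID, parameter set name or dotted OID)."""
    tbs = children(children(read_tlv(cert_der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] version field
        tbs = tbs[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI.
    algorithm = children(children(tbs[5][1])[0][1])
    param_oid = decode_oid(children(algorithm[1][1])[0][1])
    return decode_oid(algorithm[0][1]), PARAM_SETS.get(param_oid, param_oid)

# --- constructed sample input (field layout only, no real names, key or signature) ---
def tlv(tag, content):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def skeleton_cert(param_oid_hex):
    seq = lambda *items: tlv(0x30, b"".join(items))
    oid = lambda hexstr: tlv(0x06, bytes.fromhex(hexstr))
    # 2a85030701010101 = 1.2.643.7.1.1.1.1, 2a85030701010202 = 1.2.643.7.1.1.2.2
    alg = seq(oid("2a85030701010101"), seq(oid(param_oid_hex), oid("2a85030701010202")))
    spki = seq(alg, tlv(0x03, b"\x00" + tlv(0x04, bytes(64))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), *([seq()] * 4), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for encoded in ("2a8503070102010101", "2a850302022400"):
        print(key_parameter_set(skeleton_cert(encoded)))
```

For a real PEM file, base64-decode the body between the BEGIN/END lines and pass the resulting bytes to key_parameter_set.
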

rnixik commented 4 years ago

@zubosem Great examples! Could you create an issue in gost-engine https://github.com/gost-engine/engine/issues with your observations, please?

ghost commented 4 years ago

Ok. Good idea. I already did it https://github.com/gost-engine/engine/issues/188

rnixik commented 4 years ago

@zubosem I thought you'd worked with the latest version of the image. I checked and it is working:

docker pull rnix/openssl-gost && docker run --rm -i -t -v `pwd`:`pwd` -w `pwd` rnix/openssl-gost openssl x509 -noout -text -in rosreestr.pem

Result:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:01:b0:7a:c4:0c:d1:86:e9:11:1e:26:95:31:6f:42
        Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
        Issuer: OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
        Validity
            Not Before: Feb  1 12:28:23 2019 GMT
            Not After : May  1 12:28:23 2020 GMT
        Subject: OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
                Public key:
                   X:70081376D7EBF768D91CFF51A34262C45476BC12F03FB1321CB7F4FD75721FCA
                   Y:8B29C3A9DCD8CF7599C2CBAAA4D8C599C41EFBF57F471A13C2A81398FB278CAF
                Parameter set: GOST R 34.10-2012 (256 bit) ParamSet A
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Subject Key Identifier: 
                0B:3F:8F:BA:5A:C3:9E:1F:2A:87:74:3D:62:5D:EA:28:EF:B3:09:D7
            X509v3 Authority Key Identifier: 
                keyid:81:B5:05:E9:37:BD:70:51:84:10:96:21:80:2E:07:92:01:B9:F9:49
                DirName:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0
                serial:17:9C:B3:A9:00:00:00:00:00:9B

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection, 1.2.643.2.2.34.6, 1.2.643.5.1.24.2.2.5, TLS Web Server Authentication, 1.2.643.2.64.1.1.1
            X509v3 Certificate Policies: 
                Policy: 1.2.643.100.113.1
                Policy: 1.2.643.100.113.2

            X509v3 Subject Alternative Name: 
                DirName:/unstructuredAddress=\xD0\x92\xD0\xB5\xD0\xB1-\xD1\x81\xD0\xB5\xD1\x80\xD0\xB2\xD0\xB8\xD1\x81, DNS:portal.rosreestr.ru
            X509v3 Private Key Usage Period: 
                Not Before: Feb  1 12:28:23 2019 GMT, Not After: May  1 12:28:23 2020 GMT
            Signing Tool of Issuer: 
                0....P........ ".................. CSP" ............ 4.0 (.................... 2-Base)..."....................-.................... ................ "............................ .......... ".................. ...." ............ 2.0" (.............. .................... 5).O.................... ........................ ... ..../124-3570 .... 14.12.2018.O.................... ........................ ... ..../128-2983 .... 18.11.2016
            Signing Tool of Subject: 
                .4........ ".................. CSP" (............ 4.0)
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://uc.kadastr.ru/revoke/index/revoked4.crl

            Authority Information Access: 
                CA Issuers - URI:http://uc.kadastr.ru/root/index/root4.cer

    Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
         e4:c8:f2:32:e0:0c:a2:91:a1:39:af:d5:54:9b:be:a8:2b:93:
         07:64:59:c5:46:76:ce:72:1d:7b:14:fc:5c:9d:37:62:4f:b7:
         96:68:42:83:11:8d:39:b2:37:0d:07:5c:de:6e:b0:fc:ab:78:
         5d:2e:f5:56:51:58:85:75:c9:42

ghost commented 4 years ago

Hmm... Is it the master (not 1_1_0) branch of gost engine in the image?

rnixik commented 4 years ago

Yes. It is. This commit is the latest in the image https://github.com/gost-engine/engine/commit/58a46b289d6b8df06072fc9c0304f4b2d3f4b051

ghost commented 4 years ago

Yeah! The build from the master branch worked. Thanks!

rnixik commented 4 years ago

OK, the original issue 'FILL_GOST_EC_PARAMS:unsupported parameter set' is resolved with an update of OpenSSL and GOST Engine: docker pull rnix/openssl-gost.

ghost commented 4 years ago

@rnixik can you run these commands in your docker image and check the results?

> openssl s_client -cert your_certificate.pem -key your_private.key -CAfile your_cabundle.crt -connect portal.rosreestr.ru:4455 -state -debug
> curl -v -k https://portal.rosreestr.ru:4455 --cert your_certificate.pem --key your_private.key

rnixik commented 4 years ago

@zubosem I don't have your_* files.

ghost commented 4 years ago

Do you have your own items? Can you try with your certificate and private key? Thanks

rnixik commented 4 years ago

No, I can't. I don't have any private keys with GOST.

gosha20777 commented 4 years ago

Hi guys! Yep, all works fine, but what about nginx?

I couldn't get it to work, although I compiled it with the latest version of gost engine and openssl. As a result, I solved the problem like this: I wrote a python server that simply calls curl with the necessary parameters. Everything works pretty well, but I still don't understand what to do with the nginx server. I'm interested in trying it ...

Link to my nginx version: https://github.com/gosha20777/openssl-gost/tree/master/nginx-gost
Link to my python curl-based server: https://github.com/gosha20777/openssl-gost/tree/master/python-gost

rnixik commented 4 years ago

@gosha20777 This is a working example: https://github.com/rnixik/docker-openssl-gost/blob/master/nginx-gost/Dockerfile Try it again.